On 11/04/2014 02:26 PM, James Lay wrote:
> Thanks a bunch Christos,
> That list of IPs is things like apple.com, textnow.me, and Windows
> updates...IPs that simply don't bump well. My setup is a Linux box
> that's a router...one NIC internal IP, the other external IP. Via
> iptables redirect, I'm transparently intercepting the web traffic of a
> few devices, only allowing them access to the list of sites in url.txt.
> At issue with using the broken_sites list is that I have to just
> specify large chunks of netblocks, which I lose control and visibility
> of. What I'm really hoping for is a way for squid to be able to, in
> my case at least, look at either the server_name extension in the Client
You need to build your own external_acl helper which will take as input
the client SNI (server_name extension). Read the squid wiki for information
about external acl helpers:
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
It is easy to build one in perl or as a shell script. I suggest
building an external_acl helper which returns "OK" when the SNI matches or
no SNI information exists.
You can use the following configuration or similar:
#
external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
acl EXTACL external EXTACL
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# At first step peek all
ssl_bump peek step1 all
ssl_bump splice step2 EXTACL
ssl_bump bump all
> Hello, or, if that's not present, look at the dNSName of the certificate
> being sent, check the access against url.txt, and either allow or deny.
In your case the server certificate information will not work well. At
the time this information is available:
1) in peek mode, you cannot bump any more
2) in stare mode, you cannot splice any more.
There are exceptions to the above rules (for example in case the client
uses the same SSL library as squid) but the SSL protocol is safe enough
to not allow us to make something better than this.
Regards,
Christos
> Ssl_bump does work well for most sites...and I understand we are
> performing a man-in-the-middle attack so it's not supposed to be easy.
> Again my hope isn't really to perform a MITM...more of an access control
> type thing. Thanks again Christos...I hope I explained this well
> enough.
> James
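The external_acl helper Christos describes above, written out as an added shell example (it is not code from the thread or from the squid project). It assumes url.txt holds one hostname per line (a bare name or a leading-dot name both cover subdomains, '#' starts a comment), that squid sends "-" for a missing SNI, and the helper path in the config is a placeholder.

```shell
#!/bin/sh
# Added example of the external_acl helper suggested in the thread (not
# squid project code). Squid writes one line per lookup holding the
# %ssl::>sni value; we answer OK (ACL matches -> splice) or ERR (-> bump).
# Assumptions: url.txt lists one hostname per line (bare or leading-dot
# names also match subdomains; '#' lines are comments) and squid sends
# "-" when no SNI is available.
ALLOWLIST="${ALLOWLIST:-/path-to-my/url.txt}"   # placeholder path, adjust

# sni_allowed SNI ALLOWFILE: prints OK or ERR (always exits 0, set -e safe)
sni_allowed() {
  sni=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  list=$2
  # No SNI at all: return OK, as suggested, so the ACL matches
  case "$sni" in
    ''|'-') echo OK; return 0 ;;
  esac
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z' | sed 's/^\.//;s/[[:space:]]*$//')
    case "$entry" in
      ''|'#'*) continue ;;                   # blank line or comment
    esac
    # exact match, or a subdomain of the listed name
    case "$sni" in
      "$entry"|*".$entry") echo OK; return 0 ;;
    esac
  done < "$list"
  echo ERR
  return 0
}

# Request loop: one lookup per stdin line, one answer per stdout line.
run_helper() {
  while IFS= read -r sni; do
    sni_allowed "$sni" "$ALLOWLIST"
  done
}

# Only start the loop when installed under the name used in squid.conf,
# so the functions can also be sourced and checked on their own.
case "$0" in
  *external-acl-helper*) run_helper ;;
esac
```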
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users